DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Transcription

1 : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1

2 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s Internet traffic passing through the global public NTT network. As a provider with world-wide coverage managing this much bandwidth, one of NTT s important tasks is to mitigate large distributed denial of service attacks (DDoS). These attacks historically have focused on flooding a victim s networks with so much data or activity that legitimate services are rendered unavailable. These volume-based attacks are very different from application DDoS attacks (such as that described in the Web Application DDoS Attack case study in Section F.4 of this report), which consume application processing resources. The distribution of DDoS attacks (by type of attack) observed by NTT in 2014 is presented in the following chart. DDOS BY TYPE NTP Amplification Multi-vector TCP SYN SSDP Amplification DNS Amplification Other 0% 7% 14% 21% 28% 35% Caption: NTP amplification leads the number of attacks by type of attack. 2

3 63 percent of all DDoS attacks observed were related to UDP based protocols and services (NTP, SSDP and DNS). Discussions of different DDoS attack types observed in 2014 are presented below. NTP Amplification Attacks With 32 percent of all DDoS attacks during 2014, the most common type of attack we observed was the Network Time Protocol (NTP) amplification attack. In this attack, an attacker changes the source address of an NTP query to the intended victim s address, then sends the maliciously spoofed query to one or more NTP servers. The NTP servers respond to the IP address of the victim (the spoofed source address). The amplification components of the attack are what make it interesting. A very small query to an NTP server can produce a very large response if using particular NTP options. TCP SYN Flood Attacks Another of the largest types of DDoS attacks, with 16 percent of the total, is also one of the oldest and most consistently observed over the years. The TCP SYN flood attack is performed by flooding the target network with a large number of TCP SYN requests which results in the exhaustion of available resources. If mitigating controls are not put in place, a malicious attacker can use this tactic to create a large number of partially-open connections to a server. This can exhaust all available sessions, preventing users from connecting to ports which would normally be accessible for legitimate services. Attackers can further ensure the success of SYN floods by employing different techniques to exhaust resources. This may include spoofing the source IP addresses, targeting multiple ports, attacking from multiple distributed sources, and the use of botnets. 3

4 SSDP Amplification Attacks Another type of DDoS traffic observed in 2014 was Simple Service Discovery Protocol (SSDP) amplification, which made up 9 percent of all DDoS attacks observed. SSDP was created to help devices discover and connect to each other, and is part of the Universal Plug and Play (UPnP) protocol. The protocol was first introduced in 1999 and by default uses UDP port 1900 for communication. Similar to other attacks such as DNS and NTP amplification, attackers send specially crafted requests to an SSDP enabled device and direct the response to the targeted system. Although the service defaults to UDP/1900 it can be directed to send responses to other ports and services. Since there is no shortage of SSDP enabled devices it is a good candidate for attackers to use during reflection and amplification based attacks. Several tools allow attackers to identify SSDP enabled devices and launch attacks. Botnets capable of performing SSDP DDoS attacks may use compromised home computing, network and residential applications to conduct attacks. Due to the wide use of SSDP, especially in residential applications such as network modem/ router bundles, wireless access points, and many home entertainment appliances and gaming systems, it is likely that SSDP DDoS attacks will continue. Unfortunately, most devices which implement SSDP enable this feature by default and it is unlikely that residential users will patch or disable these services. Multi-Vector Attacks In multi-vector attacks, combinations of different DDoS attack types are used during a single incident. Attackers will often initiate attacks using one method but may adapt their approach during the attack if the primary method of attack is not as effective as anticipated. 4

5 Alternatively, attackers may elect to use multiple methods of attack simultaneously to ensure their success. For example, attackers may start with NTP amplification but then use methods such as SYN flood, SSDP, application specific or other methods to amplify the effect of the attack. Multi-vector attacks can be a powerful tactic since this increases the chances of success. These attacks are also designed to overwhelm defenses and organizational staff. It can be a challenge for organizations to respond to multivector attacks since different attack techniques require different mitigation and defensive approaches. DDoS Mitigation Recommendations DDoS attacks have been around for some time. Preventive measures have had a chance to mature, and some measures have proven to be more reliable than others. While they must be evaluated in each organization s unique environment, NTT Group offers the following recommendations: Technical Recommendations: Organizations should look at implementing a layered approach to DDoS mitigation controls leveraging multiple technologies. Implement onsite application DoS mitigation services such as a web application firewall. Filter traffic at multiple points of ingress including the upstream ISP and via content distribution networks or scrubbing services. Third-party traffic scrubbing and filtering services can be valuable because they often anticipate the need to address multiple types of DDoS attacks. Implement dynamic bandwidth services which can scale bandwidth as an attack unfolds. This is not optimal as a long term solution but can help absorb some of the initial impact of an attack. 5

6 Many network firewalls, load balancers and servers support rate limiting or session timeouts. Ensure organizational staff understands the environment and tools which are already available. Understand the capabilities of the organizations and the ISP to handle TCP SYN flood attacks. Many ISPs implement detection for spoofed IP addresses and filter these by default. Keep in mind that ISPs often do a great job at filtering high-volume attacks, but smaller attacks may go unnoticed and not be filtered. Depending on the focus of the attack, host or application-based controls can help mitigate session or connection exhaustion. Ensure the organization follows system and service hardening guidelines to reduce misconfiguration issues and limit services running. Non-technical Recommendations: Ensure the organization understands not only its ability to detect a DDoS attack, but its ability to respond. Account for DDoS attacks in the organization s business continuity and disaster recovery plans. Evaluate the financial impact a DDoS attack would have on organizational operations and services. DDoS attacks are often used to mask other criminal activities. In the event of a DDoS attack, ensure the organization is remaining alert for other malicious activities which may be occurring (fraudulent wire transfers, other breaches, and data exfiltration from other network segments). Know who to call for support during a DDoS attack (SOC, vendors, ISPs, incident response teams). 6

A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider

the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations

TLP: AMBER GSI ID: 1079 SSDP REFLECTION DDOS ATTACKS RISK FACTOR - HIGH 1.1 OVERVIEW / PLXsert has observed the use of a new reflection and amplification distributed denial of service (DDoS) attack that

2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

FortiDDoS DDoS Attack Mitigation Appliances Copyright Fortinet Inc. All rights reserved. What is a DDoS Attack? Flooding attack from compromised PCs run by a Botmaster The Botmaster s motivations may be

How to launch and defend against a DDoS John Graham-Cumming October 9, 2013 The simplest way to a safer, faster and smarter website DDoSing web sites is... easy Motivated groups of non-technical individuals

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider

PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)

Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

2015 GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY 1 EXECUTIVE SUMMARY INTRODUCING THE 2015 GLOBAL THREAT INTELLIGENCE REPORT Over the last several years, there has been significant security industry

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

DDoS WHERE'S THE THREAT? and WHAT CAN YOU DO? 26th november 2016 Pieter Hanssens pieter.hanssens(at)belnet.be Thomas Eugène thomas.eugene(at)cert.be Presentation based on Whitepaper DDoS: Proactive and

DDoS Basics Introduction Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol 1 (IP) address. This paper will explain,

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Whitepaper SHARE THIS WHITEPAPER Table of Contents The Rising Threat of Cyber-Attack Downtime...3 Four Key Considerations

White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service

Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics

What to Look for When Choosing a CDN for DDoS Protection Written by Bizety WHITE PAPER Introduction Every online company should be familiar with Distributed Denial of Service (DDoS) attacks and the risk

CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

CPNI viewpoint 01/2008 DOMAIN NAME SYSTEM (DNS) may 2008 Abstract This Viewpoint considers some of the security considerations of the Domain Name System and makes some observations regarding how organisations

First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Gain comprehensive visibility into DDoS attacks and cyber-threats with easily accessible

Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0) US-CERT Summary US-CERT has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS

A Prolexic White Paper 12 Questions to Ask a DDoS Mitigation Provider Introduction Distributed Denial of Service (DDoS) attacks continue to make global headlines, but an important facet of each incident

Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service

& Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to